Merge branch 'ent-7602-XSS-nombre-consolas-visuales' into 'develop'

Improved code and fixed XSS vulnerability

Closes pandora_enterprise#7602

See merge request artica/pandorafms!4157
Daniel Rodriguez 2021-06-03 11:37:15 +00:00
commit 5040b4b265


@ -1,9 +1,8 @@
<?php <?php
/** /**
* Extension to manage a list of gateways and the node address where they should * Actual View script for Visual Consoles.
* point to.
* *
* @category Extensions * @category Operation
* @package Pandora FMS * @package Pandora FMS
* @subpackage Community * @subpackage Community
* @version 1.0.0 * @version 1.0.0
@ -27,6 +26,7 @@
* ============================================================================ * ============================================================================
*/ */
// Begin.
global $config; global $config;
// Login check. // Login check.
@ -93,14 +93,14 @@ try {
$visualConsoleData = $visualConsole->toArray(); $visualConsoleData = $visualConsole->toArray();
$groupId = $visualConsoleData['groupId']; $groupId = $visualConsoleData['groupId'];
$visualConsoleName = $visualConsoleData['name']; $visualConsoleName = io_safe_input(strip_tags(io_safe_output($visualConsoleData['name'])));
// ACL. // ACL.
$aclRead = check_acl_restricted_all($config['id_user'], $groupId, 'VR'); $aclRead = (bool) check_acl_restricted_all($config['id_user'], $groupId, 'VR');
$aclWrite = check_acl_restricted_all($config['id_user'], $groupId, 'VW'); $aclWrite = (bool) check_acl_restricted_all($config['id_user'], $groupId, 'VW');
$aclManage = check_acl_restricted_all($config['id_user'], $groupId, 'VM'); $aclManage = (bool) check_acl_restricted_all($config['id_user'], $groupId, 'VM');
if (!$aclRead && !$aclWrite && !$aclManage) { if ($aclRead === false && $aclWrite === false && $aclManage === false) {
db_pandora_audit( db_pandora_audit(
'ACL Violation', 'ACL Violation',
'Trying to access visual console without group access' 'Trying to access visual console without group access'
@ -121,9 +121,9 @@ $options['consoles_list']['text'] = '<a href="index.php?sec=network&sec2=godmode
] ]
).'</a>'; ).'</a>';
if ($aclWrite || $aclManage) { if ($aclWrite === true || $aclManage === true) {
$action = get_parameterBetweenListValues( $action = get_parameterBetweenListValues(
is_metaconsole() ? 'action2' : 'action', (is_metaconsole() === true) ? 'action2' : 'action',
[ [
'new', 'new',
'save', 'save',
@ -167,7 +167,7 @@ if ($aclWrite || $aclManage) {
] ]
).'</a>'; ).'</a>';
if (enterprise_installed()) { if (enterprise_installed() === true) {
$options['wizard_services']['text'] = '<a href="'.$baseUrl.'&tab=wizard_services&id_visual_console='.$visualConsoleId.'">'.html_print_image( $options['wizard_services']['text'] = '<a href="'.$baseUrl.'&tab=wizard_services&id_visual_console='.$visualConsoleId.'">'.html_print_image(
'images/wand_services.png', 'images/wand_services.png',
true, true,
@ -380,7 +380,7 @@ if ($pure === false) {
echo '</div>'; echo '</div>';
echo '</div>'; echo '</div>';
if ($aclWrite || $aclManage) { if ($aclWrite === true || $aclManage === true) {
echo html_print_checkbox_switch('edit-mode', 1, false, true); echo html_print_checkbox_switch('edit-mode', 1, false, true);
} }
@ -406,7 +406,7 @@ if ($pure === true) {
// Quit fullscreen. // Quit fullscreen.
echo '<li class="nomn">'; echo '<li class="nomn">';
if (is_metaconsole()) { if (is_metaconsole() === true) {
$urlNoFull = 'index.php?sec=screen&sec2=screens/screens&action=visualmap&pure=0&id_visualmap='.$visualConsoleId.'&refr='.$refr; $urlNoFull = 'index.php?sec=screen&sec2=screens/screens&action=visualmap&pure=0&id_visualmap='.$visualConsoleId.'&refr='.$refr;
} else { } else {
$urlNoFull = 'index.php?sec=network&sec2=operation/visual_console/render_view&id='.$visualConsoleId.'&refr='.$refr; $urlNoFull = 'index.php?sec=network&sec2=operation/visual_console/render_view&id='.$visualConsoleId.'&refr='.$refr;
@ -419,7 +419,7 @@ if ($pure === true) {
// Countdown. // Countdown.
echo '<li class="nomn">'; echo '<li class="nomn">';
if (is_metaconsole()) { if (is_metaconsole() === true) {
echo '<div class="vc-refr-meta">'; echo '<div class="vc-refr-meta">';
} else { } else {
echo '<div class="vc-refr">'; echo '<div class="vc-refr">';
@ -444,11 +444,13 @@ if ($pure === true) {
// Console name. // Console name.
echo '<li class="nomn">'; echo '<li class="nomn">';
if (is_metaconsole()) {
echo '<div class="vc-title-meta">'.$visualConsoleName.'</div>'; html_print_div(
} else { [
echo '<div class="vc-title">'.$visualConsoleName.'</div>'; 'class' => (is_metaconsole() === true) ? 'vc-title-meta' : 'vc-title',
} 'content' => $visualConsoleName,
]
);
echo '</li>'; echo '</li>';
@ -501,7 +503,7 @@ ui_require_css_file('form');
<script type="text/javascript"> <script type="text/javascript">
var container = document.getElementById("visual-console-container"); var container = document.getElementById("visual-console-container");
var props = <?php echo (string) $visualConsole; ?>; var props = <?php echo (string) $visualConsole; ?>;
var items = <?php echo '['.implode($visualConsoleItems, ',').']'; ?>; var items = <?php echo '['.implode(',', $visualConsoleItems).']'; ?>;
var baseUrl = "<?php echo ui_get_full_url('/', false, false, false); ?>"; var baseUrl = "<?php echo ui_get_full_url('/', false, false, false); ?>";
var controls = document.getElementById('vc-controls'); var controls = document.getElementById('vc-controls');
autoHideElement(controls, 1000); autoHideElement(controls, 1000);
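Review bot: The name sanitisation at the `$visualConsoleName = io_safe_input(strip_tags(io_safe_output(...)))` line in the `@ -93,14 +93,14 @@` hunk covers only the `html_print_div` 'content' path, while the same object is also serialised into the inline script at `var props = <?php echo (string) $visualConsole; ?>;` in the last hunk; if that `__toString()` JSON-encodes the `toArray()` data (not visible here), the raw name still reaches a `<script>` context, where a value containing `</script>` terminates the block regardless of HTML-entity state. The JSON emitted there should be produced with `json_encode($data, JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` or equivalent, and a comment at the `$visualConsoleName` line such as `// Entity-encoded for the HTML text context only; the JSON/script path must escape separately.` would keep the two contexts from being conflated. `strip_tags()` also silently drops legitimate characters such as a literal `<` from the displayed name, so if `io_safe_input()` entity-encodes as its name suggests, the stripping step adds no safety and changes what the user sees. The `<script>` block continues past the end of the hunk.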